iPhones will pretty much trust any computer they're plugged into.

Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.

Their bogus chargers—which do, incidentally, charge the phone—contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other computer, but instead of just charging, it responds to USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, then the host has considerable control over the iPhone.

The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a feature that has led to the widespread practice of jailbreaking. This attack doesn't need to jailbreak, however.

Instead, it takes advantage of the system that Apple devised to permit developers to deploy applications to their own devices for testing purposes. Deploying such applications requires the creation of a provisioning profile. A provisioning profile identifies a specific phone and a specific application, allowing the named application to run on the named device. These provisioning profiles are generated by Apple and installed over USB.

The malicious charger interrogates the attached iPhone to read its UDID, the unique ID number that identifies a particular iPhone. It then sends the UDID to Apple's Web page that generates provisioning profiles. With the provisioning profile in hand, it can deploy the provisioning profile to the phone, and then deploy the malicious app identified by the provisioning profile.
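For a defender, the flow above means the attack leaves a provisioning profile on the phone that names its UDID and a developer team the owner never dealt with. The sketch below is an added example, not code from the researchers or from Apple: it inventories exported `.mobileprovision` blobs and flags any that provision a given device from a team outside an allowlist. The team IDs, UDID and sample profile are constructed placeholders, and the profile's CMS signature is not verified.

```python
import plistlib


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob (a CMS-signed wrapper).
    Inventory only: the signature is NOT checked here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(blob: bytes, device_udid: str, trusted_teams: set) -> list:
    """Return findings for one profile, relative to one device."""
    p = extract_plist(blob)
    ent = p.get("Entitlements", {})
    teams = set(p.get("TeamIdentifier", []))
    app_id = ent.get("application-identifier", "?")
    findings = []
    # The profile names this phone, but no team on the allowlist issued it.
    if device_udid in p.get("ProvisionedDevices", []) and not teams & trusted_teams:
        findings.append(f"untrusted team {sorted(teams)} provisioned this device for {app_id}")
    # Development profiles set get-task-allow; such apps skipped store review.
    if ent.get("get-task-allow"):
        findings.append("development profile (get-task-allow set)")
    return findings


def make_sample(team: str, udid: str, app: str) -> bytes:
    """Constructed test data, not a real profile: plist inside filler bytes."""
    body = plistlib.dumps({
        "Name": "Constructed sample",
        "TeamIdentifier": [team],
        "ProvisionedDevices": [udid],
        "Entitlements": {"application-identifier": f"{team}.{app}",
                         "get-task-allow": True},
    })
    return b"\x30\x82\x00\x00" + body + b"\x00\x00"  # stand-in for CMS framing


DEVICE = "0" * 40          # placeholder UDID
TRUSTED = {"TRUSTED001"}   # placeholder allowlist of your own team IDs

if __name__ == "__main__":
    for team in ("TRUSTED001", "UNKNOWN001"):
        blob = make_sample(team, DEVICE, "com.example.app")
        print(team, audit_profile(blob, DEVICE, TRUSTED))
```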

Though the malicious app is still sandboxed, it doesn't have to pass through Apple's normal application vetting process, and so it can still do plenty of useful malicious things. The demonstration showed a malicious Facebook app that replaced the real Facebook app with a trojaned version. The trojaned version could then do things like take screenshots of the iPhone whenever passwords are being entered, and simulate key presses to, for example, dial numbers without user intervention.

There are limits to this kind of attack. As well as requiring the phone's screen to be unlocked, the generation of the provisioning profile requires the attacker to have a valid developer account. Each developer account can only generate provisioning profiles for 100 different phones, and there's no facility to remove a UDID that's associated with a developer's account.

This will tend to limit the attacks to specific ones against individual users, rather than widespread, indiscriminate attacking. In principle, a Mactans charger could be made to look identical to an official Apple charger; a suitably motivated attacker could replace proper chargers with the malicious chargers to attack targets' phones.

Apple has responded to this research by making the iPhone a little less trusting. Instead of trusting any USB host that it's connected to, iOS 7 will prompt users the first time, asking if they want to trust the currently connected computer. This notification will immediately disclose that a charger isn't a charger at all, but in fact a Mactans-like device.

iOS 7 devices are a little bit more suspicious than their iOS 6 brethren.

92 Reader Comments

Wait! Here's an idea... what if... you DIDN'T plug your phone into an oversized charger you didn't recognize??

Hmmmm... (chin stroke).

I find this entire discussion BEYOND ridiculous.

Anyone dumb enough to plug their phone into an uncontrolled charger deserves the butt whooping it's going to give them. Hell, even prior to malware-distributing chargers you would have to be a moron to blithely cram a non-standard connector into your phone without considering power damage, connector issues, etc., etc.

Unlike other platforms/phones, Apple doesn't give their phones away as loss leaders. My phone cost a freaking fortune comparatively. You bet I'm careful about where I plug it. I even refuse to buy the cheap generic chargers because I sweat power issues. You're only one cheap Chinese-made voltage regulator away from a non-warranty replacement.

"What is this here? An oversized charger of unknown origin? Wonder what that big black spider icon means on the top? I think I'll just plug my phone in and see what happens. While it's charging, I think I'll just wander over to the rest stop restroom and have unprotected fun with anonymous people. I'm sure that's safe."

Pulease.

Mad Scotsman

In your rant, you've missed the plausible point, being that this device spoken about could eventually be shrunken down into the small charger package (mimicking the original; it happens, look up CIA and USSR copier machines) you get with an iPhone/iPad and then could replace your stock or after-purchase charger buy as a means of infection, control or even eavesdropping. Reading helps guy.

LOL... take your own advice, "guy".

Bluffing your way into corporate headquarters to swap out chargers? Infiltrating the RNC/DNC?

ROTFL.

Paranoid? Much?

It's a complete non-starter. Less than 50 lines of code on the Apple website and it's a dead issue.

"Eventually" phones will evolve into another form factor entirely, and be chargeable by the motion of our bodies. But that's too many years away to worry about.

As other posters have pointed out very well, anyone going through THIS much trouble and spending this kind of coin would be after bigger fish and would have much heavier resources.

This is not the "holy grail" of having hacked an unbroken iPhone that it's being sold as. I notice the giant "Sponsored by Windows 8" ad in the upper left hand corner of the banner page. LOL.

Call it what it is:

Kludge.

MS

The research group is more than likely focused on such applications which you briefly scoff at, such as deep organizational infiltration with such a device or a topology of target public, etc. Your ignorance to the applications, especially in a miniature form factor, isn't surprising. Lastly, guy, if you don't like the chitchat reflecting on the concept, why not click to an article that perhaps suits your limitless knowledge on all that is invasive of the concept of privacy or security in hardware that you believe suits you---simple fix, right? Then you can relieve the rest of us interested in discussing the implications or whatnot to do so without unnecessary, inflammatory or irrelevant rants.

An interesting hack, but it could easily be shut down by Apple. Particularly because it requires a developer account. It can't spread. It requires plugging the phone into an untrusted charger. When such a charger is found in a public place like an airport or corporate environment, it could certainly be tracked to whoever placed it there.

If someone is going to this extreme, they might as well swap your phone for an identical duplicate with malware installed.

It would be quite a challenge to make an exact duplicate of a phone. All the apps, settings, high scores, messages and call logs - not to mention any scratches the target would recognize.

I'm still not convinced this makes more sense than a trojan on the target's computer though (which could both harvest information and infect any connected phones).

Point taken, though there are many folks who have an iOS device and don't connect it to a computer.

And this just proves why a hacker would prefer to exploit Androids. Even if I did want to grab someone's Facebook pass I would rather go through cross-site scripting or fake login, or if you want to get this close to trading a charger you would be better off taking over the router and rerouting them, or sniffing... instead of physically fake chargers that leave a path from the hacker either from the device or the dev account.

What does that have to do with Android vs iOS?

Well, I developed iPhone apps, and its annoying issues, such as how apps are "sandboxed" from the OS, are actually good, in that even going through all the work for this attack you still don't end up with a "virus"; otherwise the attacker would put something more useful on the device, like a keylogger that mails back to the attacker or call recording, which would be more possible on a more "open" device such as an Android, which is good and bad for being open to allow the user and apps freedom.

Hackers think of majority, ease of exploitation and how powerful/useful their exploits can be. As for majority, Android's low-price devices and allowing their software on tons of makers' devices makes their OS have more devices than iOS/Apple, just like Windows vs Mac. Ease of exploitation and power of this exploit: the attacker would really have to go out of his way and as well leave a trail, and it would most likely be for a targeted attack such as an Apple store or building with employees using Apple devices... or just one user.

Most likely situation... crazed boyfriend signing up for developer account and having a girlfriend sleep over just to secretly plug her phone into his laptop and erase her Facebook and add his fake Facebook app JUST to get her login and check her mail all the time. The fact that he couldn't duplicate all the Facebook app programming and design, he would have to come up with a fake login and then making the app crash or seem to freeze after every time from there. And that situation is once again mostly a user issue and not a device "bug/exploit".

Cool security feature - but every time I plug in??? I use my work computer to charge during the day, and I don't have admin access to it, so I can't install iTunes or the support drivers from the phone, so it asks me every single time I plug in 8( Can't it remember one I trust?